Security Researchers Score Win Against Conficker Worm

Security vendors are taking advantage of a discovery by two members of the Honeynet Project who uncovered a new way to detect the Conficker worm on infected PCs. McAfee and Qualys are said to be among the vendors updating their scanning tools with the new detection method.

Security pros have uncovered a new technique for detecting PCs infected by
the Conficker worm.
The technique is based on a discovery by members of the Honeynet Project, which
found that Conficker's attempts to cloak itself from network administrators may
have backfired. As part of its defenses, Conficker deploys a fake patch for the
Microsoft
vulnerability it exploits that researchers have speculated is meant both to
fool admins into thinking systems are patched and to keep other types of
malware from exploiting the vulnerability.

However, Honeynet Project researchers Felix Leder and Tillmann Werner noted
there are flaws in the way Conficker "patches" these compromised
systems that can be used to detect
if a PC is infected with Conficker. The discovery prompted members of the
Conficker Cabal-a group of researchers and vendors fighting Conficker-to begin
working on ways to use the discovery to help network scanners detect the worm.

"What we've found is pretty cool: Conficker actually changes what
Windows looks like on the network, and this change can be detected remotely,
anonymously and very, very quickly," Dan Kaminsky, director of penetration
testing for IOActive, wrote on a blog. "You can literally ask a server if
it's infected with Conficker, and it will tell you."
He explained that the worm "makes NetpwPathCanonicalize() work quite a
bit differently than either the unpatched or the patched MS08-067 version."
Leder and Werner are slated to come out with a paper later the week of March 30
that describes the situation in more detail, and have released a proof-of-concept
scanner of their own that can detect the differences in the patch.
Several scanning tool makers are reportedly taking advantage of the
discovery in offerings such as the open-source tool Nmap and technology from
vendors such as Qualys and McAfee.

Conficker first appeared late in 2008 targeting a flaw in Microsoft's
Windows Server service. The latest variant, dubbed Conficker C but also known
as Downadup and Conficker D, is programmed to begin contacting 500 domains from
a list of 50,000 domain names starting April 1.